wordpress · Check
WordPress readme.html exposed — removing the version-disclosing file
GET `/readme.html` returned 200. The WordPress readme file frequently discloses the running WordPress version, which lets attackers match your install against the public CVE database and pick exploits that target your exact build.
Why it matters
Version disclosure is a low-severity finding on its own, but it accelerates every other phase of an attack. Removing the file or returning 404 takes one line of nginx/Apache config.
Real-world risk
Version disclosure via readme.html helps attackers match your install against the public CVE database and pick exploits that target your exact build.
Fix steps (in order)
- Delete /readme.html and /license.txt from the WordPress root.
- If you can't delete the files, return 404 for them via your webserver: e.g. nginx `location = /readme.html { return 404; }`.
- Hide the WordPress generator meta tag too: add_filter('the_generator', '__return_empty_string');
- Verify with: curl -I https://your-site/readme.html (should return 404).
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (wp_readme_exposed) clears once the externally-observable signal is in place.